Q&A: Michigan State University CIO on his start in security, and the changing identity management landscape
We recently had the opportunity to speak with Rob McCurdy, chief information officer of Michigan State University, about enterprise technology, security careers and the evolution of identity management. As CIO, Rob is responsible for leading Michigan State University’s (MSU) technology strategy and managing overall IT operations and services. His current focus is on improving service delivery, delivering new services through new business models, and transforming the MSU technology team to be flexible and adaptable.
Before his role as CIO at the university, Rob served as the university’s chief information security officer for three years. Before MSU, Rob served as the chief information security officer at Farmers Insurance and worked as a consultant (with a heavy emphasis on identity management) for Accenture and Crowe Chizek, based in Chicago.
Here’s our edited conversation:
Thanks for taking the time with us today, Rob. Could you tell us a little about your background and how you got started in IT and security?
Growing up, I was always interested in computers and took it upon myself to fool around with them as much as possible and learn what I could on my own. We didn’t have a lot of strong computer courses and definitely no security courses in my high school. So, I did a lot of self-learning, and then, when I went to Michigan State University, I was considering a couple of different majors and chose computer science engineering. It was a very technical degree that consisted primarily of software development.
Fortunately, I was able to take a few courses that specialized in security. That enabled me to gain some experience in security, and I then knew I wanted to go straight into security out of college.
But, back then, it was quite difficult to go straight into security because security wasn’t prioritized like it is today. It just wasn’t in the headlines. So, there just weren’t that many jobs, and the jobs that were there, they all required five years or more experience. All of that made it difficult to find a position straight out of college.
I think a lot of people would be interested in learning how you successfully made the leap.
I ended up getting lucky. The difficulty in getting a job in security pushed me toward consulting. Consulting was one of the areas where you could go straight into security right out of college. I first worked for a smaller consulting firm, which, again, ended up being very, very lucky for me.
I originally joined to focus on penetration testing and security assessments. But within my first two weeks, I was approached by a new security practice leader about building their identity and access management program.
They asked if I’d be interested in learning more about identity. Of course I was, even though I didn’t know anything about it. I was able to learn a lot from a bunch of very smart people and started my work in identity and access management implementations. This provided a lot of value because I was able to see what was happening across a lot of companies.
From there I went to Accenture, a much larger consulting firm. At Accenture I was able to do very similar things, but with much larger clients and global companies. That offered a lot of new challenges, and I was also able to get assigned to some security strategy projects. I was lucky again to get to work with some brilliant people and learn from them.
All of this set me up for a position in financial services. I joined one of the top financial services companies in the world and one of the largest insurers in the United States. There, I had a chance to build up a security program. When I joined, we only had about twenty security people globally, and by the time I left, we had over four hundred.
That experience provided a lot of opportunities because we were able to deploy a number of security processes and frameworks, as well as deploy all the cool security technologies. We really got to do just about anything you could imagine, and we did it globally.
I suspect it was a significant change moving from a CISO position to a CIO role? There can be some inherent conflict with a CISO reporting to a CIO; you’re in a unique position to share thoughts on that.
There can be, and I think we see that in industry. The balance that a CIO has to draw when it pertains to availability and productivity can conflict with security. I think this is why we’re seeing some CISOs moved from working under the CIO. With the CIO being pressured to deliver value to the business faster, there can be a conflict there if the relationship isn’t properly managed.
It’s certainly a tricky balance, and especially for me, there’s even more of an expectation given my background that we do have excellence in security. This has been a big change for me: having to focus not just on security but balancing all of the business aspects of IT while still ensuring that we’re delivering excellent security.
When it comes to identity management, where do you see most organizations today?
Unfortunately, there are still many organizations that haven’t mastered the basic identity and access management principles yet. There is still a lot of that out there. Things like access re-certification still aren’t happening everywhere it needs to. However, considering the strong growth of cloud applications and service providers, the only way to keep up with it is by maintaining a robust identity lifecycle.
What were the identity management challenges you were experiencing at the university when you sought a new identity management system?
Our primary challenge is that our environment is fully customized. We had essentially built our own fully custom identity and access management and single sign-on systems. Moving from such a system, where every process is highly customized, will bring a lot of unraveling. It was a very positive thing we did because we did want more standardization when it came to how identities are managed. It was also a lot of work.
Another challenge was simply the nature of identity management in a university environment. I hadn’t previously implemented identity management at a university, and there are a lot of challenges introduced that you wouldn’t find in the typical enterprise. You have a student population, an alumni population, contractors, and then you have the traditional employee population.
The number of different user types that you’re dealing with and how much they commingle, as well, can make it very difficult to manage. Then we have all the regulations around student data, in addition to all the other regulations that every company has to deal with.
How would you compare working as a consultant to working as a CIO or CISO on staff?
With consulting, depending on the company and your projects, you often get thrown at a problem and have to figure it out on your own. This happens across all different industries and cultures. You really have to be able to think on your feet. You have to be comfortable not knowing the answer to everything and figuring it out as you go. With experience like that, it’s rare for me to find myself in an uncomfortable scenario.
What have you seen as the most significant changes in identity and access management in the past ten to fifteen years?
It’s been fascinating to watch. From my perspective, identity and access management received a lot of publicity ten to fifteen years ago. Then, interest died down, and today it’s back in the forefront. It’s been interesting seeing this resurgence over the past few years. But, then from the technology landscape, companies such as SailPoint have arrived and have helped to improve how we can manage identity dramatically.
The previous identity management software, those that I actually learned on, would take days just to get a base install set up. That’s not even getting any workflows set up yet; that’s just getting the different pieces of the application talking to each other so you can actually start to configure something.
The amount of work you had to go through was overwhelming.
Thankfully, technology has evolved considerably, and the overall understanding of identity management has come far since the beginning. I see a lot of opportunities today with the state of the technology and the ability to enable the end users.